ssh woes on windows

John Arbash Meinel john at arbash-meinel.com
Wed Jul 30 18:49:40 BST 2008


Mark Hammond wrote:
| Hi John,
|
| A month ago, you wrote:
|
|> My best guess is that your key isn't properly uploaded to Launchpad.
|> Looking here:
|> https://edge.launchpad.net/~mhammond/+sshkeys
|>
|> I only see a "ssh-dss" public key, which I believe is a "DSA" key, not
|> an RSA key. And IIRC, Launchpad no longer allows access via DSA keys.
|
| Yes, something was a little strange with my keys on launchpad, and
| that does explain much of the strangeness I saw.  I've since
| experimented in a much more "controlled" environment with the state of
| bzr and ssh on Windows.
|
|> I like using ssh.exe because I have it configured already. It knows what
|> usernames I'm going to be using to access different hosts (jameinel
|> here, jam, there, bzr_conversion on that machine.) It knows if I have 3
|> different keys and I want to use a different one for each host. (Though
|> with any agent, you pretty much just load all your keys in, and then go
|> from there.)
|>
|> Both paramiko and ssh are able to prompt for the passphrases on my keys.
|
| Yeah, I've found that paramiko does correctly prompt for your
| passphrase in the same way as using ssh explicitly (ie, only the key
| that will actually be used is prompted).  However, I have found one
| critical difference - paramiko seems unable to use (cygwin's) ssh-agent
| on Windows.  I recently sent a mail to the paramiko list, but the short
| story is that once ssh-agent is set up correctly, BZR_SVN=ssh will use
| the agent, while BZR_SVN=paramiko will still prompt for the passphrase,
| just as ssh itself does if the agent isn't running.
|
| FWIW, Paramiko will automatically try *both* the pageant keys and the
| default id_dsa/id_rsa keys.
|
| So - getting back to the original point of this mail - what should the
| default ssh implementation be on Windows?  If paramiko supported
| ssh-agent, it's obvious to me that paramiko should be the default.  Would
| you agree?
|

Not really. My basic feeling is that if ssh.exe is available and on the
path, someone went to a lot of trouble to set it up that way. (Windows
certainly doesn't come with it by default, and it *definitely* doesn't
install it into your PATH unless you manually go fix things up.)

Thus I would still say "if ssh.exe is found, use it".

I won't say the same for plink.exe because it doesn't work properly a
lot of the time.

I *wish* pageant would be smart enough to know about a possible ssh-key
that I would want it to prompt me for. But as is, you have to manually
add the key to the list of known keys every time you start your machine.

| But - given the state of things today, whatever we choose, someone
| potentially "loses" (ie, needs to explicitly change BZR_SVN):
|
| * If we choose 'search for ssh, fallback to paramiko', the person who
| uses pageant to manage their keys but also has ssh.exe on their path
| will need to set BZR_SSH=paramiko (or plink), else they will see a
| cryptic error message ("ERROR: Connection closed...") and the operation
| will fail.
|

I think this is an extremely minority case. Why would you have ssh.exe
on your path and use pageant? You have to work hard to install it and
set it into your PATH. It isn't like it happens in a default install.

| * If we choose paramiko, the person using ssh-agent must set
| BZR_SSH=ssh, otherwise they will be prompted each time for their
| passphrase - but once supplied, the operation will succeed.
|
| The way I see things is:
|
| * Windows users are far more likely to use pageant to manage their
| keys, but there is also a reasonable chance a copy of ssh.exe will be
| found on PATH (it is for me ;)
|

I think you are far from a majority of windows users. I think there is a
*slim* chance that ssh.exe is present *and* that the users don't *use* it.


| * In the failure scenarios above, the person using ssh-agent still
| works - just not optimally.  However, the person using pageant fails to
| work at all, and there isn't a clear indication how the problem should
| be fixed for them.
|
| All of which leads me to the conclusion that even without ssh-agent
| support, paramiko should still be the default ssh implementation.  Is
| there something I've missed in the above?  Any other thoughts?
|
| Thanks,
|
| Mark
|
|

My big disagreement is in the likelihood of having an unconfigured
ssh.exe in your path and planning on using pageant. If you've gone to
the trouble of installing ssh.exe, you can probably set up
BZR_SSH=paramiko at the same time. (Since you edited your path, and
setting the env var is done in the same dialog.)

Especially considering that with win32 bzr, my .ssh/id_dsa files are not
where paramiko would *look*. Cygwin uses C:/cygwin/home/jameinel/.ssh/*
not C:\Users\jameinel\.ssh\*

So in *my* case, using paramiko would *just fail*, without any obvious
way of getting it to use my ssh key. :)

John
=:->
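
The default-selection question debated in this thread, worked through as an added Python example (not part of the original message and not bzr's own code). The function names, the policy labels and the sample users are hypothetical, and the agent incompatibilities are encoded as reported in the thread, not independently verified.

```python
import shutil

VENDORS = ("ssh", "paramiko", "plink")     # BZR_SSH values named in the thread
# Agent each implementation can use, as reported in the thread (assumption).
AGENT_FOR = {"ssh": "ssh-agent", "paramiko": "pageant"}

def choose_vendor(env, policy="ssh-first", which=shutil.which):
    """Explicit BZR_SSH wins; otherwise apply the default policy under debate."""
    override = env.get("BZR_SSH", "").strip().lower()
    if override:
        if override not in VENDORS:
            raise ValueError("unsupported BZR_SSH value: %r" % override)
        return override
    if policy == "ssh-first" and which("ssh", path=env.get("PATH", "")):
        return "ssh"
    return "paramiko"

def key_dir(vendor, user):
    """Default key directory, following the two paths quoted in the thread."""
    if vendor == "ssh":                    # Cygwin ssh.exe: Cygwin home
        return "C:/cygwin/home/%s/.ssh" % user
    return "C:\\Users\\%s\\.ssh" % user    # native Windows profile

def diagnose(env, user, agent, keys_in, policy="ssh-first", which=shutil.which):
    """Return (vendor, problems) for one constructed setup.

    agent is "pageant", "ssh-agent" or None; keys_in lists dirs holding keys.
    """
    vendor = choose_vendor(env, policy, which)
    if vendor == "plink":                  # not modelled in this sketch
        return vendor, []
    problems = []
    usable = AGENT_FOR[vendor]
    if agent and agent != usable:
        problems.append("%s cannot use %s" % (vendor, agent))
    if agent != usable and key_dir(vendor, user) not in keys_in:
        problems.append("no key in %s" % key_dir(vendor, user))
    return vendor, problems

if __name__ == "__main__":
    found = lambda cmd, path=None: "C:/cygwin/bin/ssh.exe"  # constructed PATH hit
    print(diagnose({}, "mark", "pageant", [], which=found))
    print(diagnose({}, "jam", "ssh-agent", ["C:/cygwin/home/jam/.ssh"],
                   policy="paramiko-first", which=found))
```
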


